Certification Provider: Palo Alto Networks
Exam: Palo Alto Networks Certified Network Security Engineer (PCNSE)
Exam Code: PCNSE v10
Total Question: 181
Question per Quiz: 75
Updated On: 20 April 2023
Note: In order to practice all the Q/A's, you have to practice multiple time. Question's and Answer's will be presented randomly and will help you get hands-on for real exam.
1.
The administrator for a small company has recently enabled decryption on their Palo Alto Networks firewall using a self-signed root certificate. They have also created a Forward Trust and Forward Untrust certificate and set them as such. The admin has not yet installed the root certificate onto client systems. What effect would this have on decryption functionality?
2.
What happens when an A P firewall cluster synchronies IPsec tunnel security associations (SAs)?
3.
You have upgraded Panorama to 10.2 and need to upgrade six Log Collectors. When upgrading Log Collectors to 10.2, you must do what?
4.
An administrator needs to troubleshoot a User-ID deployment. The administrator believes that there is an issue related to LDAP authentication. The administrator wants to create a packet capture on the management plane. Which CLI command should the administrator use to obtain the packet capture for validating the configuration?
5.
An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices. The organization is coming from a L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed. Which Panorama tool can help this organization?
6.
Which three options are supported in HA Lite? (Choose three.)
7.
As a best practice, which URL category should you target first for SSL decryption?
8.
An engineer is tasked with deploying SSL Forward Proxy decryption for their organization. What should they review with their leadership before implementation?
9.
An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Link and Path Monitoring is enabled with the Failure Condition set to "any". There is one link group configured containing member interfaces ethernet1/1 and ethernet1/2 with a Group Failure Condition set to "all". Which HA state will the Active firewall go into if ethernet1/1 link goes down due to a failure?
10.
When overriding a template configuration locally on a firewall, what should you consider?
11.
Which three split tunnel methods are supported by a GlobalProtect Gateway? (Choose three.)
12.
Four configuration choices are listed, and each could be used to block access to a specific URL. If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?
13.
An administrator is using Panorama to manage me and suspects an IKE Crypto mismatch between peers, from the firewalls to Panorama. However, pre-existing logs from the firewalls are not appearing in Panorama. Which action should be taken to enable the firewalls to send their pre-existing logs to Panorama?
14.
A network security engineer has applied a File Blocking profile to a rule with the action of Block. The user of a Linux CLI operating system has opened a ticket. The ticket states that the user is being blocked by the firewall when trying to download a TAR file. The user is getting no error response on the system. Where is the best place to validate if the firewall is blocking the user's TAR file?
15.
Which two mechanisms help prevent a spilt brain scenario an Active/Passive High Availability (HA) pair? (Choose two)
16.
The following objects and policies are defined in a device group hierarchy. Dallas-Branch has Dallas-FW as a member of the Dallas-Branch device-group NYC-DC has NYC-FW as a member of the NYC-DC device-group What objects and policies will the Dallas-FW receive if "Share Unused Address and Service Objects" is enabled in Panorama?
17.
Which option describes the operation of the automatic commit recovery feature?
18.
An engineer is planning an SSL decryption implementation Which of the following statements is a best practice for SSL decryption?
19.
Place the steps in the WildFire process workflow in their correct order. Select and Place:
20.
An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls into their Microsoft Azure. Which two statements are correct regarding the bootstrap package contents? (Choose two)
21.
To more easily reuse templates and template stacks, you can create template variables in place of firewall-specific and appliance-specific IP literals in your configurations. Which one is the correct configuration?
22.
Which feature checks Panorama connectivity status after a commit?
23.
Review the screenshot of the Certificates page. An administrator for a small LLC has created a series of certificates as shown, to use for a planned Decryption roll out. The administrator has also installed the self-signed root certificate in all client systems. When testing, they noticed that every time a user visited an SSL site, they received unsecured website warnings. What is the cause of the unsecured website warnings?
24.
To protect your firewall and network from single source denial of service (DoS) attacks that can overwhelm its packet buffer and cause legitimate traffic to drop, you can configure:
25.
An administrator receives the following error message: "IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192. 168.33.33/24 type IPv4 address protocol 0 port 0, received remote id 172.16.33.33/24 type IPv4 address protocol 0 port 0." How should the administrator identify the root cause of this error message?
26.
A network administrator wants to use a certificate for the SSL/TLS Service Profile. Which type of certificate should the administrator use?
27.
Refer to the exhibit. An administrator cannot see any if the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct?
28.
WildFire will submit for analysis blocked files that match which profile settings?
29.
In a Panorama template which three types of objects are configurable? (Choose three)
30.
The manager of the network security team has asked you to help configure the company's Security Profiles according to Palo Alto Networks best practice. As part of that effort, the manager has assigned you the Vulnerability Protection profile for the internet gateway firewall. Which action and packet-capture setting for items of high severity and critical severity best matches Palo Alto Networks best practice'?
31.
The following objects and policies are defined in a device group hierarchy. Dallas-Branch has Dallas-FW as a member of the Dallas-Branch device-group NYC-DC has NYC-FW as a member of the NYC-DC device-group What objects and policies will the Dallas-FW receive if "Share Unused Address and Service Objects" is enabled in Panorama?
32.
An administrator discovers that a file blocked by the WildFire inline ML feature on the firewall is a false-positive action. How can the administrator create an exception for this particular file?
33.
An engineer is creating a template and wants to use variables to standardize the configuration across a large number of devices. Which two variable types can be defined? (Choose two.)
34.
A firewall has Security policies from three sources: 1. locally created policies 2. shared device group policies as pre-rules 3. the firewall's device group as post-rules. How will the rule order populate once pushed to the firewall?
35.
Which CLI command is used to determine how much disk space is allocated to logs?
36.
An administrator wants to enable Palo Alto Networks cloud services for Device Telemetry and IoT. Which type of certificate must be installed?
37.
Which three statements accurately describe Decryption Mirror? (Choose three.)
38.
Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken?
39.
An engineer wants to configure aggregate interfaces to increase bandwidth and redundancy between the firewall and switch. Which statement is correct about the configuration of the interfaces assigned to an aggregate interface group?
40.
An administrator is attempting to create policies tor deployment of a device group and template stack When creating the policies, the zone drop down list does not include the required zone. What must the administrator do to correct this issue?
41.
Which three statements accurately describe Decryption Mirror? (Choose three.)
42.
In a security-first network what is the recommended threshold value for content updates to be dynamically updated?
43.
When you navigate to Network: > GlobalProtect > Portals > Method section, which three options are available? (Choose three)
44.
An engineer is planning an SSL decryption implementation. Which of the following statements is a best practice for SSL decryption?
45.
A system administrator runs a port scan using the company tool as part of vulnerability check. The administrator finds that the scan is identified as a threat and is dropped by the firewall. After further investigating the logs, the administrator finds that the scan is dropped in the Threat Logs. What should the administrator do to allow the tool to scan through the firewall?
46.
An internal system is not functioning. The firewall administrator has determined that the incorrect egress interface is being used After looking at the configuration, the administrator believes that the firewall is not using a static route What are two reasons why the firewall might not use a static route"? (Choose two.)
47.
Which two features require another license on the NGFW? (Choose two.)
48.
Which two are valid ACC GlobalProtect Activity tab widgets? (Choose two.)
49.
Your company has to Active Directory domain controllers spread across multiple WAN links All users authenticate to Active Directory Each link has substantial network bandwidth to support all mission-critical applications. The firewalls management plane is highly utilized Given this scenario which type of User-ID agent is considered a best practice by Palo Alto Networks?
50.
When you configure an active/active high availability pair which two links can you use? (Choose two)
51.
Which rule type controls end user SSL traffic to external websites?
52.
Which GlobalProtect component must be configured to enable Clientless VPN?
53.
How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall?
54.
An engineer must configure the Decryption Broker feature Which Decryption Broker security chain supports bi-directional traffic flow?
55.
Which option is part of the content inspection process?
56.
How can an administrator configure the firewall to automatically quarantine a device using GlobalProtect?
57.
Which statement about High Availability timer settings is true?
58.
An engineer has been tasked with reviewing traffic logs to find applications the firewall is unable to identify with App-ID. Why would the application field display as incomplete?
59.
A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this. Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)
60.
What are two characteristic types that can be defined for a variable? (Choose two)
61.
Which two features require another license on the NGFW? (Choose two.)
62.
Given the following snippet of a WildFire submission log. did the end-user get access to the requested information and why or why not?
63.
What are three valid qualifiers for a Decryption Policy Rule match? (Choose three)
64.
When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes?
65.
When setting up a security profile, which three items can you use? (Choose three.)
66.
PBF can address which two scenarios? (Select Two)
67.
A firewall administrator has been tasked with ensuring that all Panorama-managed firewalls forward traffic logs to Panorama. In which section is this configured?
68.
The Aggregate Ethernet interface is showing down on a passive PA-7050 firewall of an active/passive HA pair. The HA Passive Link State is set to "Auto" under Device > High Availability > General > Active/Passive Settings. The AE interface is configured with LACP enabled and is up only on the active firewall. Why is the AE interface showing down on the passive firewall?
69.
A firewall has been assigned to a new template stack that contains both "Global" and "Local" templates in Panorama, and a successful commit and push has been performed. While validating the configuration on the local firewall, the engineer discovers that some settings are not being applied as intended. The setting values from the "Global" template are applied to the firewall instead of the "Local" template that has different values for the same settings. What should be done to ensure that the settings in the "Local" template are applied while maintaining settings from both templates?
70.
When you configure an active/active high availability pair, which two links can you use? (Choose two.)
71.
What are three types of Decryption Policy rules? (Choose three.)
72.
What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure an SSL/TLS connection?
73.
Which Panorama mode should be used so that all logs are sent to, and only stored in Cortex Data Lake?
74.
What are three reasons for excluding a site from SSL decryption? (Choose three.)
75.
An administrator notices that an interface configuration has been overridden locally on a firewall. They require an configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?